<!DOCTYPE html>
<html class='v2' dir='ltr' lang='en'>
<head>
<link href='https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css' rel='stylesheet' type='text/css'/>
<meta content='width=1100' name='viewport'/>
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>
<meta content='blogger' name='generator'/>
<link href='https://scarybeastsecurity.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/>
<link href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' rel='canonical'/>
<link rel="alternate" type="application/atom+xml" title="Security - Atom" href="https://scarybeastsecurity.blogspot.com/feeds/posts/default" />
<link rel="alternate" type="application/rss+xml" title="Security - RSS" href="https://scarybeastsecurity.blogspot.com/feeds/posts/default?alt=rss" />
<link rel="service.post" type="application/atom+xml" title="Security - Atom" href="https://www.blogger.com/feeds/3024470480937744884/posts/default" />

<link rel="alternate" type="application/atom+xml" title="Security - Atom" href="https://scarybeastsecurity.blogspot.com/feeds/8002854809504309795/comments/default" />
<!--[if IE]><script type="text/javascript" src="https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js"></script>
<![endif]-->
<meta content='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' property='og:url'/>
<meta content='Alert: vsftpd download backdoored' property='og:title'/>
<meta content='[With thanks to Mathias Kresin for being the first to notice]   An incident, what fun! Earlier today, I was alerted that a vsftpd download f...' property='og:description'/>
<!--[if IE]> <script> (function() { var html5 = ("abbr,article,aside,audio,canvas,datalist,details," + "figure,footer,header,hgroup,mark,menu,meter,nav,output," + "progress,section,time,video").split(','); for (var i = 0; i < html5.length; i++) { document.createElement(html5[i]); } try { document.execCommand('BackgroundImageCache', false, true); } catch(e) {} })(); </script> <![endif]-->
<title>Security: Alert: vsftpd download backdoored</title>
<style id='page-skin-1' type='text/css'><!--
/*
-----------------------------------------------
Blogger Template Style
Name:     Simple
Designer: Blogger
URL:      www.blogger.com
----------------------------------------------- */
/* Content
----------------------------------------------- */
body {
font: normal normal 12px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #222222;
background: #cfe7d1 url(//themes.googleusercontent.com/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ) repeat fixed top center /* Credit: gaffera (https://www.istockphoto.com/googleimages.php?id=4072573&amp;platform=blogger) */;
padding: 0 0 0 0;
background-attachment: scroll;
}
html body .content-outer {
min-width: 0;
max-width: 100%;
width: 100%;
}
h2 {
font-size: 22px;
}
a:link {
text-decoration:none;
color: #249fa3;
}
a:visited {
text-decoration:none;
color: #7c93a1;
}
a:hover {
text-decoration:underline;
color: #5dc2c0;
}
.body-fauxcolumn-outer .fauxcolumn-inner {
background: transparent url(https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png) repeat scroll top left;
_background-image: none;
}
.body-fauxcolumn-outer .cap-top {
position: absolute;
z-index: 1;
height: 400px;
width: 100%;
}
.body-fauxcolumn-outer .cap-top .cap-left {
width: 100%;
background: transparent url(https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png) repeat-x scroll top left;
_background-image: none;
}
.content-outer {
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .15);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .15);
-goog-ms-box-shadow: 0 0 0 #333333;
box-shadow: 0 0 0 rgba(0, 0, 0, .15);
margin-bottom: 1px;
}
.content-inner {
padding: 0 0;
}
.main-outer, .footer-outer {
background-color: #ffffff;
}
/* Header
----------------------------------------------- */
.header-outer {
background: transparent none repeat-x scroll 0 -400px;
_background-image: none;
}
.Header h1 {
font: normal normal 70px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #249fa3;
text-shadow: 0 0 0 rgba(0, 0, 0, .2);
}
.Header h1 a {
color: #249fa3;
}
.Header .description {
font-size: 200%;
color: #444444;
}
.header-inner .Header .titlewrapper {
padding: 22px 30px;
}
.header-inner .Header .descriptionwrapper {
padding: 0 30px;
}
/* Tabs
----------------------------------------------- */
.tabs-inner .section:first-child {
border-top: 0 solid #dddddd;
}
.tabs-inner .section:first-child ul {
margin-top: -0;
border-top: 0 solid #dddddd;
border-left: 0 solid #dddddd;
border-right: 0 solid #dddddd;
}
.tabs-inner .widget ul {
background: transparent none repeat-x scroll 0 -800px;
_background-image: none;
border-bottom: 0 solid #dddddd;
margin-top: 0;
margin-left: -0;
margin-right: -0;
}
.tabs-inner .widget li a {
display: inline-block;
padding: .6em 1em;
font: normal normal 20px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #00818b;
border-left: 0 solid #ffffff;
border-right: 0 solid #dddddd;
}
.tabs-inner .widget li:first-child a {
border-left: none;
}
.tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover {
color: #444444;
background-color: transparent;
text-decoration: none;
}
/* Columns
----------------------------------------------- */
.main-outer {
border-top: 1px solid #dddddd;
}
.fauxcolumn-left-outer .fauxcolumn-inner {
border-right: 1px solid #dddddd;
}
.fauxcolumn-right-outer .fauxcolumn-inner {
border-left: 1px solid #dddddd;
}
/* Headings
----------------------------------------------- */
div.widget > h2,
div.widget h2.title {
margin: 0 0 1em 0;
font: normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
color: #000000;
}
/* Widgets
----------------------------------------------- */
.widget .zippy {
color: #999999;
text-shadow: 2px 2px 1px rgba(0, 0, 0, .1);
}
.widget .popular-posts ul {
list-style: none;
}
/* Posts
----------------------------------------------- */
h2.date-header {
font: normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
}
.date-header span {
background-color: transparent;
color: #222222;
padding: inherit;
letter-spacing: inherit;
margin: inherit;
}
.main-inner {
padding-top: 30px;
padding-bottom: 30px;
}
.main-inner .column-center-inner {
padding: 0 15px;
}
.main-inner .column-center-inner .section {
margin: 0 15px;
}
.post {
margin: 0 0 25px 0;
}
h3.post-title, .comments h4 {
font: normal normal 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif;
margin: .75em 0 0;
}
.post-body {
font-size: 110%;
line-height: 1.4;
position: relative;
}
.post-body img, .post-body .tr-caption-container, .Profile img, .Image img,
.BlogList .item-thumbnail img {
padding: 2px;
background: #ffffff;
border: 1px solid #eeeeee;
-moz-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1);
-webkit-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1);
box-shadow: 1px 1px 5px rgba(0, 0, 0, .1);
}
.post-body img, .post-body .tr-caption-container {
padding: 5px;
}
.post-body .tr-caption-container {
color: #222222;
}
.post-body .tr-caption-container img {
padding: 0;
background: transparent;
border: none;
-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .1);
-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .1);
box-shadow: 0 0 0 rgba(0, 0, 0, .1);
}
.post-header {
margin: 0 0 1.5em;
line-height: 1.6;
font-size: 90%;
}
.post-footer {
margin: 20px -2px 0;
padding: 5px 10px;
color: #666666;
background-color: #f9f9f9;
border-bottom: 1px solid #eeeeee;
line-height: 1.6;
font-size: 90%;
}
#comments .comment-author {
padding-top: 1.5em;
border-top: 1px solid #dddddd;
background-position: 0 1.5em;
}
#comments .comment-author:first-child {
padding-top: 0;
border-top: none;
}
.avatar-image-container {
margin: .2em 0 0;
}
#comments .avatar-image-container img {
border: 1px solid #eeeeee;
}
/* Comments
----------------------------------------------- */
.comments .comments-content .icon.blog-author {
background-repeat: no-repeat;
background-image: url();
}
.comments .comments-content .loadmore a {
border-top: 1px solid #999999;
border-bottom: 1px solid #999999;
}
.comments .comment-thread.inline-thread {
background-color: #f9f9f9;
}
.comments .continue {
border-top: 2px solid #999999;
}
/* Accents
---------------------------------------------- */
.section-columns td.columns-cell {
border-left: 1px solid #dddddd;
}
.blog-pager {
background: transparent none no-repeat scroll top center;
}
.blog-pager-older-link, .home-link,
.blog-pager-newer-link {
background-color: #ffffff;
padding: 5px;
}
.footer-outer {
border-top: 0 dashed #bbbbbb;
}
/* Mobile
----------------------------------------------- */
body.mobile  {
background-size: auto;
}
.mobile .body-fauxcolumn-outer {
background: transparent none repeat scroll top left;
}
.mobile .body-fauxcolumn-outer .cap-top {
background-size: 100% auto;
}
.mobile .content-outer {
-webkit-box-shadow: 0 0 3px rgba(0, 0, 0, .15);
box-shadow: 0 0 3px rgba(0, 0, 0, .15);
}
.mobile .tabs-inner .widget ul {
margin-left: 0;
margin-right: 0;
}
.mobile .post {
margin: 0;
}
.mobile .main-inner .column-center-inner .section {
margin: 0;
}
.mobile .date-header span {
padding: 0.1em 10px;
margin: 0 -10px;
}
.mobile h3.post-title {
margin: 0;
}
.mobile .blog-pager {
background: transparent none no-repeat scroll top center;
}
.mobile .footer-outer {
border-top: none;
}
.mobile .main-inner, .mobile .footer-inner {
background-color: #ffffff;
}
.mobile-index-contents {
color: #222222;
}
.mobile-link-button {
background-color: #249fa3;
}
.mobile-link-button a:link, .mobile-link-button a:visited {
color: #ffffff;
}
.mobile .tabs-inner .section:first-child {
border-top: none;
}
.mobile .tabs-inner .PageList .widget-content {
background-color: transparent;
color: #444444;
border-top: 0 solid #dddddd;
border-bottom: 0 solid #dddddd;
}
.mobile .tabs-inner .PageList .widget-content .pagelist-arrow {
border-left: 1px solid #dddddd;
}

--></style>
<style id='template-skin-1' type='text/css'><!--
body {
min-width: 860px;
}
.content-outer, .content-fauxcolumn-outer, .region-inner {
min-width: 860px;
max-width: 860px;
_width: 860px;
}
.main-inner .columns {
padding-left: 0px;
padding-right: 160px;
}
.main-inner .fauxcolumn-center-outer {
left: 0px;
right: 160px;
/* IE6 does not respect left and right together */
_width: expression(this.parentNode.offsetWidth -
parseInt("0px") -
parseInt("160px") + 'px');
}
.main-inner .fauxcolumn-left-outer {
width: 0px;
}
.main-inner .fauxcolumn-right-outer {
width: 160px;
}
.main-inner .column-left-outer {
width: 0px;
right: 100%;
margin-left: -0px;
}
.main-inner .column-right-outer {
width: 160px;
margin-right: -160px;
}
#layout {
min-width: 0;
}
#layout .content-outer {
min-width: 0;
width: 800px;
}
#layout .region-inner {
min-width: 0;
width: auto;
}
body#layout div.add_widget {
padding: 8px;
}
body#layout div.add_widget a {
margin-left: 32px;
}
--></style>
<style>
    body {background-image:url(\/\/themes.googleusercontent.com\/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ);}
    
@media (max-width: 200px) { body {background-image:url(\/\/themes.googleusercontent.com\/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ&options=w200);}}
@media (max-width: 400px) and (min-width: 201px) { body {background-image:url(\/\/themes.googleusercontent.com\/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ&options=w400);}}
@media (max-width: 800px) and (min-width: 401px) { body {background-image:url(\/\/themes.googleusercontent.com\/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ&options=w800);}}
@media (max-width: 1200px) and (min-width: 801px) { body {background-image:url(\/\/themes.googleusercontent.com\/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ&options=w1200);}}
/* Last tag covers anything over one higher than the previous max-size cap. */
@media (min-width: 1201px) { body {background-image:url(\/\/themes.googleusercontent.com\/image?id=1x_TqXo6-7t6y2ZiuOyQ2Bk6Zod9CTtyKYtRui0IeQJe6hVlJcQiXYG2xQGkxKvl6iZMJ&options=w1600);}}
  </style>
<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3024470480937744884&amp;zx=6ad3de79-58a8-4634-9bf4-da52af7ff4bd' media='none' onload='if(media!=&#39;all&#39;)media=&#39;all&#39;' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3024470480937744884&amp;zx=6ad3de79-58a8-4634-9bf4-da52af7ff4bd' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script type="text/javascript" language="javascript">
  // Supply ads personalization default for EEA readers
  // See https://www.blogger.com/go/adspersonalization
  adsbygoogle = window.adsbygoogle || [];
  if (typeof adsbygoogle.requestNonPersonalizedAds === 'undefined') {
    adsbygoogle.requestNonPersonalizedAds = 1;
  }
</script>


</head>
<body class='loading variant-wide'>
<div class='navbar section' id='navbar' name='Navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript">
    function setAttributeOnload(object, attribute, val) {
      if(window.addEventListener) {
        window.addEventListener('load',
          function(){ object[attribute] = val; }, false);
      } else {
        window.attachEvent('onload', function(){ object[attribute] = val; });
      }
    }
  </script>
<div id="navbar-iframe-container"></div>
<script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
<script type="text/javascript">
      gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() {
        if (gapi.iframes && gapi.iframes.getContext) {
          gapi.iframes.getContext().openChild({
              url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d3024470480937744884\x26blogName\x3dSecurity\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://scarybeastsecurity.blogspot.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://scarybeastsecurity.blogspot.com/\x26targetPostID\x3d8002854809504309795\x26blogPostOrPageUrl\x3dhttps://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html\x26vt\x3d-2758100802209579187',
              where: document.getElementById("navbar-iframe-container"),
              id: "navbar-iframe"
          });
        }
      });
    </script><script type="text/javascript">
(function() {
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js';
var head = document.getElementsByTagName('head')[0];
if (head) {
head.appendChild(script);
}})();
</script>
</div></div>
<div class='body-fauxcolumns'>
<div class='fauxcolumn-outer body-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content'>
<div class='content-fauxcolumns'>
<div class='fauxcolumn-outer content-fauxcolumn-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<div class='content-outer'>
<div class='content-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left content-fauxborder-left'>
<div class='fauxborder-right content-fauxborder-right'></div>
<div class='content-inner'>
<header>
<div class='header-outer'>
<div class='header-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left header-fauxborder-left'>
<div class='fauxborder-right header-fauxborder-right'></div>
<div class='region-inner header-inner'>
<div class='header section' id='header' name='Header'><div class='widget Header' data-version='1' id='Header1'>
<div id='header-inner'>
<div class='titlewrapper'>
<h1 class='title'>
<a href='https://scarybeastsecurity.blogspot.com/'>
Security
</a>
</h1>
</div>
<div class='descriptionwrapper'>
<p class='description'><span>Hacking everything, by Chris Evans / scarybeasts</span></p>
</div>
</div>
</div></div>
</div>
</div>
<div class='header-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</header>
<div class='tabs-outer'>
<div class='tabs-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left tabs-fauxborder-left'>
<div class='fauxborder-right tabs-fauxborder-right'></div>
<div class='region-inner tabs-inner'>
<div class='tabs no-items section' id='crosscol' name='Cross-Column'></div>
<div class='tabs no-items section' id='crosscol-overflow' name='Cross-Column 2'></div>
</div>
</div>
<div class='tabs-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='main-outer'>
<div class='main-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left main-fauxborder-left'>
<div class='fauxborder-right main-fauxborder-right'></div>
<div class='region-inner main-inner'>
<div class='columns fauxcolumns'>
<div class='fauxcolumn-outer fauxcolumn-center-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-left-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<div class='fauxcolumn-outer fauxcolumn-right-outer'>
<div class='cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left'>
<div class='fauxborder-right'></div>
<div class='fauxcolumn-inner'>
</div>
</div>
<div class='cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<!-- corrects IE6 width calculation -->
<div class='columns-inner'>
<div class='column-center-outer'>
<div class='column-center-inner'>
<div class='main section' id='main' name='Main'><div class='widget Blog' data-version='1' id='Blog1'>
<div class='blog-posts hfeed'>

          <div class="date-outer">
        
<h2 class='date-header'><span>Sunday, July 3, 2011</span></h2>

          <div class="date-posts">
        
<div class='post-outer'>
<div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'>
<meta content='3024470480937744884' itemprop='blogId'/>
<meta content='8002854809504309795' itemprop='postId'/>
<a name='8002854809504309795'></a>
<h3 class='post-title entry-title' itemprop='name'>
Alert: vsftpd download backdoored
</h3>
<div class='post-header'>
<div class='post-header-line-1'></div>
</div>
<div class='post-body entry-content' id='post-body-8002854809504309795' itemprop='description articleBody'>
<i>[With thanks to Mathias Kresin for being the first to notice]</i><br /><br />An incident, what fun! Earlier today, I was alerted that a vsftpd download from the master site (vsftpd-2.3.4.tar.gz) appeared to contain a backdoor:<br /><br /><a href="http://pastebin.com/AetT9sS5">http://pastebin.com/AetT9sS5</a><br /><br />The bad tarball is (sha256sum):<br /><code><br />2a4bb16562e0d594c37b4dd3b426cb012aa8457151d4718a5abd226cef9be3a5  vsftpd-2.3.4.tar.gz<br /></code><br />And, of course, the GPG signature notices:<br /><code><br />$ gpg ./vsftpd-2.3.4.tar.gz.asc<br />gpg: Signature made Tue 15 Feb 2011 02:38:11 PM PST using DSA key ID 3C0E751C<br />gpg: BAD signature from "Chris Evans &lt;chris@scary.beasts.org&gt;"<br /></code><br />Check your signatures :)<br /><br />Ideally, you'll see something like:<br /><code><br />gpg: Signature made Tue 15 Feb 2011 02:38:11 PM PST using DSA key ID 3C0E751C<br />gpg: Good signature from "Chris Evans &lt;chris@scary.beasts.org&gt;"<br />Primary key fingerprint: 8660 FD32 91B1 84CD BC2F  6418 AA62 EC46 3C0E 751C<br /></code><br /><br />Signatures aside, I also took the liberty of moving most of the vsftpd site and latest download to a hosting provider I have more faith in:<br /><br /><a href="https://security.appspot.com/vsftpd.html">https://security.appspot.com/vsftpd.html</a><br /><a href="https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz">https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz</a><br /><a href="https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc">https://security.appspot.com/downloads/vsftpd-2.3.4.tar.gz.asc</a><br /><br />The backdoor payload is interesting. In response to a :) smiley face in the FTP username, a TCP callback shell is attempted. There is no obfuscation. More interestingly, there's no attempt to broadcast any notification of installation of the bad package. So it's unclear how victims would be identified; and also pretty much guaranteed that any major redistributor would notice the badness. Therefore, perhaps someone was just having some lulz instead of seriously trying to cause trouble.
<div style='clear: both;'></div>
</div>
<div class='post-footer'>
<div class='post-footer-line post-footer-line-1'>
<span class='post-author vcard'>
Posted by
<span class='fn' itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'>
<meta content='https://www.blogger.com/profile/01004765479735675808' itemprop='url'/>
<a class='g-profile' href='https://www.blogger.com/profile/01004765479735675808' rel='author' title='author profile'>
<span itemprop='name'>Chris</span>
</a>
</span>
</span>
<span class='post-timestamp'>
at
<meta content='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' itemprop='url'/>
<a class='timestamp-link' href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2011-07-03T02:10:00-07:00'>2:10 AM</abbr></a>
</span>
<span class='post-comment-link'>
</span>
<span class='post-icons'>
<span class='item-control blog-admin pid-1928782341'>
<a href='https://www.blogger.com/post-edit.g?blogID=3024470480937744884&postID=8002854809504309795&from=pencil' title='Edit Post'>
<img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/>
</a>
</span>
</span>
<div class='post-share-buttons goog-inline-block'>
</div>
</div>
<div class='post-footer-line post-footer-line-2'>
<span class='post-labels'>
</span>
</div>
<div class='post-footer-line post-footer-line-3'>
<span class='post-location'>
</span>
</div>
</div>
</div>
<div class='comments' id='comments'>
<a name='comments'></a>
<h4>34 comments:</h4>
<div id='Blog1_comments-block-wrapper'>
<dl class='avatar-comment-indent' id='comments-block'>
<dt class='comment-author ' id='c6128663047737159759'>
<a name='c6128663047737159759'></a>
<div class="avatar-image-container vcard"><span dir="ltr"><a href="https://www.blogger.com/profile/15728390359795931865" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-6128663047737159759-15728390359795931865"><img src="https://resources.blogblog.com/img/blank.gif" width="35" height="35" class="delayLoad" style="display: none;" longdesc="//3.bp.blogspot.com/_OpJw0jXzJL0/TE1pHv9NwnI/AAAAAAAAAAk/2O6D0tx1EUw/S45-s35/renaborder.png" alt="" title="&#11041;">

<noscript><img src="//3.bp.blogspot.com/_OpJw0jXzJL0/TE1pHv9NwnI/AAAAAAAAAAk/2O6D0tx1EUw/S45-s35/renaborder.png" width="35" height="35" class="photo" alt=""></noscript></a></span></div>
<a href='https://www.blogger.com/profile/15728390359795931865' rel='nofollow'>&#11041;</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-6128663047737159759'>
<p>
&quot;So it&#39;s unclear how victims would be identified...&quot;<br />Maybe by trying to log in as a smilie face?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309747700345#c6128663047737159759' title='comment permalink'>
July 3, 2011 at 7:48 PM
</a>
<span class='item-control blog-admin pid-1298250375'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=6128663047737159759' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author blog-author' id='c4211449683303512074'>
<a name='c4211449683303512074'></a>
<div class="avatar-image-container vcard"><span dir="ltr"><a href="https://www.blogger.com/profile/01004765479735675808" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-4211449683303512074-01004765479735675808"><img src="https://resources.blogblog.com/img/blank.gif" width="35" height="35" class="delayLoad" style="display: none;" longdesc="//2.bp.blogspot.com/_SZCuSKORDDc/SatOgZFz6lI/AAAAAAAAGvg/15aty34H4wE/S45-s35/me.jpg" alt="" title="Chris">

<noscript><img src="//2.bp.blogspot.com/_SZCuSKORDDc/SatOgZFz6lI/AAAAAAAAGvg/15aty34H4wE/S45-s35/me.jpg" width="35" height="35" class="photo" alt=""></noscript></a></span></div>
<a href='https://www.blogger.com/profile/01004765479735675808' rel='nofollow'>Chris</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-4211449683303512074'>
<p>
@&#11041; -- trying that for every site on the internet is inefficient, possibly even prohibitive. A more sophisticated attack along these lines usually involves the backdoored software pinging back somewhere when it is launched.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309749785365#c4211449683303512074' title='comment permalink'>
July 3, 2011 at 8:23 PM
</a>
<span class='item-control blog-admin pid-1928782341'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=4211449683303512074' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c5110413014856435659'>
<a name='c5110413014856435659'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Dan">

</span></div>
Dan
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-5110413014856435659'>
<p>
If the attacker was able to view the access log for whatever server was hosting the tarball, that would probably give them a good list of IPs to go after.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309761868867#c5110413014856435659' title='comment permalink'>
July 3, 2011 at 11:44 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=5110413014856435659' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c5577806675151181706'>
<a name='c5577806675151181706'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-5577806675151181706'>
<p>
&quot;usually involves the backdoored software pinging back somewhere when it is launched.&quot;<br /><br />There haven&#39;t been enough known cases to make that claim. It&#39;s just how you would do it. It&#39;s also how one would be caught.<br /><br />As far as scanning being prohibitive, www.shodanhq.com<br /><br />EC2 for scanning is another option.<br /><br />So how did they get in?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309783880303#c5577806675151181706' title='comment permalink'>
July 4, 2011 at 5:51 AM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=5577806675151181706' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c2162976612805609607'>
<a name='c2162976612805609607'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-2162976612805609607'>
<p>
the smiley scanner was already written and launched when your code got backdoored doud... inet round robin!
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309790752675#c2162976612805609607' title='comment permalink'>
July 4, 2011 at 7:45 AM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=2162976612805609607' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c8451533870005290847'>
<a name='c8451533870005290847'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="https://www.blogger.com/profile/06233220685452634443" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-8451533870005290847-06233220685452634443"><img src="//www.blogger.com/img/blogger_logo_round_35.png" width="35" height="35" alt="" title="Rod MacPherson">

</a></span></div>
<a href='https://www.blogger.com/profile/06233220685452634443' rel='nofollow'>Rod MacPherson</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-8451533870005290847'>
<p>
&quot;So it&#39;s unclear how victims would be identified...&quot;<br /><br />Maybe the person who put the backdoor in wasn&#39;t intending to make a botnet out of the victim machines. <br /><br />Maybe they wanted to see if it would go undetected long enough that they could just assume that anyone running VSFTP was backdoored and then they could have fun hopping from site to site seeing what they now had access to. <br /><br />Or, i think more likely, they just wanted to see how long it took the VSFTP team to notice that the code had been messed with.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309801622204#c8451533870005290847' title='comment permalink'>
July 4, 2011 at 10:47 AM
</a>
<span class='item-control blog-admin pid-562450087'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=8451533870005290847' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c7734174891620991422'>
<a name='c7734174891620991422'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="https://www.blogger.com/profile/16796667000011991859" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-7734174891620991422-16796667000011991859"><img src="//www.blogger.com/img/blogger_logo_round_35.png" width="35" height="35" alt="" title="Elhoim">

</a></span></div>
<a href='https://www.blogger.com/profile/16796667000011991859' rel='nofollow'>Elhoim</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-7734174891620991422'>
<p>
Could you share a copy of the backdoored code so that i can try to write a snort rule for inclusion in emerging threats?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309805292528#c7734174891620991422' title='comment permalink'>
July 4, 2011 at 11:48 AM
</a>
<span class='item-control blog-admin pid-621882725'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=7734174891620991422' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c2327688482917331258'>
<a name='c2327688482917331258'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="https://www.blogger.com/profile/16796667000011991859" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-2327688482917331258-16796667000011991859"><img src="//www.blogger.com/img/blogger_logo_round_35.png" width="35" height="35" alt="" title="Elhoim">

</a></span></div>
<a href='https://www.blogger.com/profile/16796667000011991859' rel='nofollow'>Elhoim</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-2327688482917331258'>
<p>
Please ignore/delete my previous comment, i did not see the pastebin link. I will propose a rule addition for emergingthreats.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309805832928#c2327688482917331258' title='comment permalink'>
July 4, 2011 at 11:57 AM
</a>
<span class='item-control blog-admin pid-621882725'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=2327688482917331258' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c4323498714752716651'>
<a name='c4323498714752716651'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="http://leethack.info" target="" rel="nofollow" onclick=""><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="knull">

</a></span></div>
<a href='http://leethack.info' rel='nofollow'>knull</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-4323498714752716651'>
<p>
something like the the ProFTPD backdoor would have been more devastating (it had a HTTP GET to some server in Saudi Arabia iirc), I wonder for how long this has been backdoored? can&#39;t have been very long.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309806066863#c4323498714752716651' title='comment permalink'>
July 4, 2011 at 12:01 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=4323498714752716651' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c6653767339673043597'>
<a name='c6653767339673043597'></a>
<div class="avatar-image-container vcard"><span dir="ltr"><a href="https://www.blogger.com/profile/15518551787084170921" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-6653767339673043597-15518551787084170921"><img src="https://resources.blogblog.com/img/blank.gif" width="35" height="35" class="delayLoad" style="display: none;" longdesc="//2.bp.blogspot.com/_AWQNj-wt7io/Sawi2dbmHgI/AAAAAAAAB58/JT7kv3CLek8/S45-s35/Picture%252B7.jpg" alt="" title="Peter">

<noscript><img src="//2.bp.blogspot.com/_AWQNj-wt7io/Sawi2dbmHgI/AAAAAAAAB58/JT7kv3CLek8/S45-s35/Picture%252B7.jpg" width="35" height="35" class="photo" alt=""></noscript></a></span></div>
<a href='https://www.blogger.com/profile/15518551787084170921' rel='nofollow'>Peter</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-6653767339673043597'>
<p>
or the payload could be primary in hibernate status, until the next payload/ download is attempted ?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309807509419#c6653767339673043597' title='comment permalink'>
July 4, 2011 at 12:25 PM
</a>
<span class='item-control blog-admin pid-522118105'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=6653767339673043597' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c3287483446953677639'>
<a name='c3287483446953677639'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-3287483446953677639'>
<p>
unless they also had access to your download logs?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309808099448#c3287483446953677639' title='comment permalink'>
July 4, 2011 at 12:34 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=3287483446953677639' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c2411565910638169550'>
<a name='c2411565910638169550'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-2411565910638169550'>
<p>
Maybe they have access to download logs...
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309808173956#c2411565910638169550' title='comment permalink'>
July 4, 2011 at 12:36 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=2411565910638169550' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c6650124997395249764'>
<a name='c6650124997395249764'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="http://www.papodenerd.net" target="" rel="nofollow" onclick=""><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Mauricio">

</a></span></div>
<a href='http://www.papodenerd.net' rel='nofollow'>Mauricio</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-6650124997395249764'>
<p>
It could be a targeted attack.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309808253662#c6650124997395249764' title='comment permalink'>
July 4, 2011 at 12:37 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=6650124997395249764' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c4421228530729881365'>
<a name='c4421228530729881365'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-4421228530729881365'>
<p>
No I like to use either a drop virus or a BlindSQL, but a DoS attack shuts&#39;em up good.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309812026370#c4421228530729881365' title='comment permalink'>
July 4, 2011 at 1:40 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=4421228530729881365' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c3035741580425992675'>
<a name='c3035741580425992675'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-3035741580425992675'>
<p>
Just depends on how paranoid you want to be.  If you are targeting a specific site that you know uses this service; its pretty easy to tell when they&#39;ve &quot;upgraded&quot;.  If you watch them closely you might even know their upgrade schedule so the attack can happen (or did happen) before anyone notices.<br /><br />And while we are talking paranoia; Chris, how much would you charge to put a backdoor in this software for me? 5 figures- 6 figures- 7?    How much if its not obfuscated and easily &quot;deniable&quot;?<br /><br />I don&#39;t mean to question your integrity specifically- just to acknowledge the attack methodology across all software both opensource and closed source.<br /><br />At least if it costs 7 figures to have you place the backdoor,  people would probably have to be the target of a nation-state, as opposed to an average (income) joe they&#39;ve pissed off on IRC to be the victim of the attack.<br /><br />Across all published software, finding someone to accept such a payment seem plausible.<br /><br /><br />-Monta
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309812581406#c3035741580425992675' title='comment permalink'>
July 4, 2011 at 1:49 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=3035741580425992675' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c7208827235818633174'>
<a name='c7208827235818633174'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="D">

</span></div>
D
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-7208827235818633174'>
<p>
So if want to find out if I have the bad version of &quot;vsftpd&quot; , the way to test is to login as &quot;:)&quot; (no quotes).<br /><br />And no password?<br /><br />And do I have to use a special port to connect?<br /><br />I installed it through:<br />apt-get install vsftpd<br />(a week ago)<br /><br />Sorry for these noob questions I just started linux server.<br /><br />Thank you
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309814932897#c7208827235818633174' title='comment permalink'>
July 4, 2011 at 2:28 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=7208827235818633174' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c5217132841875319650'>
<a name='c5217132841875319650'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-5217132841875319650'>
<p>
Perhaps the person also have access to the download site logs and simply try the IP that were used to downloaded the software?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309815808164#c5217132841875319650' title='comment permalink'>
July 4, 2011 at 2:43 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=5217132841875319650' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c6964608340927132736'>
<a name='c6964608340927132736'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-6964608340927132736'>
<p>
Perhaps the person also have access to the download site logs and simply try the IP that were used to downloaded the software?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309816009789#c6964608340927132736' title='comment permalink'>
July 4, 2011 at 2:46 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=6964608340927132736' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c7573240213160476152'>
<a name='c7573240213160476152'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="http://twitter.com/eqe" target="" rel="nofollow" onclick=""><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Andy">

</a></span></div>
<a href='http://twitter.com/eqe' rel='nofollow'>Andy</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-7573240213160476152'>
<p>
Any idea how long the backdoored tarball was up, or how many people downloaded while it was up?<br /><br />What hosting provider was it on? Do they have upload logs?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309821551248#c7573240213160476152' title='comment permalink'>
July 4, 2011 at 4:19 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=7573240213160476152' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c6560995220005129887'>
<a name='c6560995220005129887'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-6560995220005129887'>
<p>
Evil smilies are evil
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309847693048#c6560995220005129887' title='comment permalink'>
July 4, 2011 at 11:34 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=6560995220005129887' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c444719671706910395'>
<a name='c444719671706910395'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="https://www.blogger.com/profile/17735127312290492108" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-444719671706910395-17735127312290492108"><img src="//www.blogger.com/img/blogger_logo_round_35.png" width="35" height="35" alt="" title="MrSnakeOil">

</a></span></div>
<a href='https://www.blogger.com/profile/17735127312290492108' rel='nofollow'>MrSnakeOil</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-444719671706910395'>
<p>
Do you know if any downstream actually (was stupid enough) to pull down and package the compromised code?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309848924241#c444719671706910395' title='comment permalink'>
July 4, 2011 at 11:55 PM
</a>
<span class='item-control blog-admin pid-231376627'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=444719671706910395' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c2003875895684751834'>
<a name='c2003875895684751834'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-2003875895684751834'>
<p>
Identifying victims isn&#39;t so hard, as long as one has access to a botnet it&#39;s just a matter of telling the bots to scan subnets and try to log onto ftp hosts using a &quot;smilie&quot;, sure, it may take some more time, but given that FTP bruteforcers are considered background noise, while an FTP server suddenly sending out (say) and email may be noticed, I think that the approach isn&#39;t totally wrong (from the &quot;attacker&quot; point of view)
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309862627612#c2003875895684751834' title='comment permalink'>
July 5, 2011 at 3:43 AM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=2003875895684751834' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c5580381119031222457'>
<a name='c5580381119031222457'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-5580381119031222457'>
<p>
Can you tell which source file(s) and functions were modified and what to look for in the code?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309878802230#c5580381119031222457' title='comment permalink'>
July 5, 2011 at 8:13 AM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=5580381119031222457' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c2220093772188805794'>
<a name='c2220093772188805794'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-2220093772188805794'>
<p>
Inefficiency is small price to pay for stealth. Pinging back somewhere risks detection by monitoring tools. Also, what proof does the author offer that he isn&#39;t responsible for the back door to begin with?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309893878458#c2220093772188805794' title='comment permalink'>
July 5, 2011 at 12:24 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=2220093772188805794' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c7172146352879076042'>
<a name='c7172146352879076042'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-7172146352879076042'>
<p>
Linus doesn&#39;t trust Google with his code....why should you?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309902492995#c7172146352879076042' title='comment permalink'>
July 5, 2011 at 2:48 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=7172146352879076042' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c2676033185818303653'>
<a name='c2676033185818303653'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-2676033185818303653'>
<p>
Or maybe they just had one particular victim in mind.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309903701405#c2676033185818303653' title='comment permalink'>
July 5, 2011 at 3:08 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=2676033185818303653' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c1908963185088745892'>
<a name='c1908963185088745892'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-1908963185088745892'>
<p>
It&#39;s even enough if the target ftp runs under that backdoored version...<br /><br />No need to inform the attacker, just a victim which update without checking the integrity ..
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309917881924#c1908963185088745892' title='comment permalink'>
July 5, 2011 at 7:04 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=1908963185088745892' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c9163503545163315673'>
<a name='c9163503545163315673'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="JamesJ">

</span></div>
JamesJ
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-9163503545163315673'>
<p>
it might be inefficient, but it&#39;s safer then having a control point that receives acks from the infected/affected boxes.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1309962226491#c9163503545163315673' title='comment permalink'>
July 6, 2011 at 7:23 AM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=9163503545163315673' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c3016198425278297477'>
<a name='c3016198425278297477'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-3016198425278297477'>
<p>
Maybe an attacker had access to logs of the compromised hosting server. Some victims, who downloded the source by the same IP address where they finally installed compiled vsftpd, could be easily identified by the attacker or eventually by you.
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1310005904984#c3016198425278297477' title='comment permalink'>
July 6, 2011 at 7:31 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=3016198425278297477' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c1424260011010140816'>
<a name='c1424260011010140816'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-1424260011010140816'>
<p>
This isn&#39;t good... have they found who did this?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1311575129700#c1424260011010140816' title='comment permalink'>
July 24, 2011 at 11:25 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=1424260011010140816' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c4338963695019113345'>
<a name='c4338963695019113345'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="http://www.infopeer.com" target="" rel="nofollow" onclick=""><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Mark">

</a></span></div>
<a href='http://www.infopeer.com' rel='nofollow'>Mark</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-4338963695019113345'>
<p>
May be someone has to raise the hand &amp; say I&#39;m the one who did that
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1327038963562#c4338963695019113345' title='comment permalink'>
January 19, 2012 at 9:56 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=4338963695019113345' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c4393300497295793488'>
<a name='c4393300497295793488'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Anonymous">

</span></div>
Anonymous
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-4393300497295793488'>
<p>
What sort of hosting did you have, that the blame lies with the web host ? surely you are responsible for your own data?
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1328963479790#c4393300497295793488' title='comment permalink'>
February 11, 2012 at 4:31 AM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=4393300497295793488' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c1258512384398969103'>
<a name='c1258512384398969103'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><a href="https://www.blogger.com/profile/04701419682177770778" target="" rel="nofollow" onclick="" class="avatar-hovercard" id="av-1258512384398969103-04701419682177770778"><img src="//www.blogger.com/img/blogger_logo_round_35.png" width="35" height="35" alt="" title="Gadelkareem">

</a></span></div>
<a href='https://www.blogger.com/profile/04701419682177770778' rel='nofollow'>Gadelkareem</a>
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-1258512384398969103'>
<p>
Another way to do that ... <a href="http://gadelkareem.com/2012/02/27/configuring-vsftpd-on-centos-with-different-port/" title="Configuring vsFTPd on CentOS with different port" rel="nofollow">Configuring vsFTPd on CentOS with different port</a>
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1331984159078#c1258512384398969103' title='comment permalink'>
March 17, 2012 at 4:35 AM
</a>
<span class='item-control blog-admin pid-771361276'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=1258512384398969103' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
<dt class='comment-author ' id='c6904103415061337341'>
<a name='c6904103415061337341'></a>
<div class="avatar-image-container avatar-stock"><span dir="ltr"><img src="//resources.blogblog.com/img/blank.gif" width="35" height="35" alt="" title="Matt &amp;quot;Breakpoint&amp;quot; Heck">

</span></div>
Matt &quot;Breakpoint&quot; Heck
said...
</dt>
<dd class='comment-body' id='Blog1_cmt-6904103415061337341'>
<p>
I&#39;m dismayed to observe that an important reason for doing this wasn&#39;t even considered: tampering with the package immediately prior to someone attempting to download a current version of it for use in the shipping firmware of an embedded system.<br /><br />In other words, if you know someone is about to obtain a package because they need to deploy it as part of an embedded system, and you can compromise the binary long enough to get it onto the master disk image, then you have compromised every instance of that product.<br /><br />That would be a high-payoff target, and would also explain the lack of an announcement of vulnerability-- if the attack is successful, you would simply know that EVERY instance of that embedded device is vulnerable.<br /><br />Another reason it is very important to verify your package hashes when preparing an embedded system (or at least use a package manager that will do so on your behalf).  Obviously, it does raise some concerns with respect to things like Buildroot, as it just gets whatever source is current for a number of things...<br /><br />--Matt &quot;Breakpoint&quot; Heck
</p>
</dd>
<dd class='comment-footer'>
<span class='comment-timestamp'>
<a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html?showComment=1342406886634#c6904103415061337341' title='comment permalink'>
July 15, 2012 at 7:48 PM
</a>
<span class='item-control blog-admin pid-1935206301'>
<a class='comment-delete' href='https://www.blogger.com/delete-comment.g?blogID=3024470480937744884&postID=6904103415061337341' title='Delete Comment'>
<img src='https://resources.blogblog.com/img/icon_delete13.gif'/>
</a>
</span>
</span>
</dd>
</dl>
</div>
<p class='comment-footer'>
<a href='https://www.blogger.com/comment.g?blogID=3024470480937744884&postID=8002854809504309795' onclick=''>Post a Comment</a>
</p>
</div>
</div>

        </div></div>
      
</div>
<div class='blog-pager' id='blog-pager'>
<span id='blog-pager-newer-link'>
<a class='blog-pager-newer-link' href='https://scarybeastsecurity.blogspot.com/2012/01/dirty-secret-of-browser-security-1.html' id='Blog1_blog-pager-newer-link' title='Newer Post'>Newer Post</a>
</span>
<span id='blog-pager-older-link'>
<a class='blog-pager-older-link' href='https://scarybeastsecurity.blogspot.com/2011/05/libxml-vulnerability-and-interesting.html' id='Blog1_blog-pager-older-link' title='Older Post'>Older Post</a>
</span>
<a class='home-link' href='https://scarybeastsecurity.blogspot.com/'>Home</a>
</div>
<div class='clear'></div>
<div class='post-feeds'>
<div class='feed-links'>
Subscribe to:
<a class='feed-link' href='https://scarybeastsecurity.blogspot.com/feeds/8002854809504309795/comments/default' target='_blank' type='application/atom+xml'>Post Comments (Atom)</a>
</div>
</div>
</div></div>
</div>
</div>
<div class='column-left-outer'>
<div class='column-left-inner'>
<aside>
</aside>
</div>
</div>
<div class='column-right-outer'>
<div class='column-right-inner'>
<aside>
<div class='sidebar section' id='sidebar-right-1'><div class='widget Text' data-version='1' id='Text1'>
<div class='widget-content'>
Subscribe to my Twitter feed: <a href="https://twitter.com/scarybeasts">@scarybeasts</a>.
</div>
<div class='clear'></div>
</div><div class='widget Subscribe' data-version='1' id='Subscribe1'>
<div style='white-space:nowrap'>
<h2 class='title'>Subscribe To ScarybeastSecurity</h2>
<div class='widget-content'>
<div class='subscribe-wrapper subscribe-type-POST'>
<div class='subscribe expanded subscribe-type-POST' id='SW_READER_LIST_Subscribe1POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fscarybeastsecurity.blogspot.com%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fscarybeastsecurity.blogspot.com%2Ffeeds%2Fposts%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://scarybeastsecurity.blogspot.com/feeds/posts/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Posts
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div class='subscribe-wrapper subscribe-type-PER_POST'>
<div class='subscribe expanded subscribe-type-PER_POST' id='SW_READER_LIST_Subscribe1PER_POST' style='display:none;'>
<div class='top'>
<span class='inner' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
<div class='feed-reader-links'>
<a class='feed-reader-link' href='https://www.netvibes.com/subscribe.php?url=https%3A%2F%2Fscarybeastsecurity.blogspot.com%2Ffeeds%2F8002854809504309795%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-netvibes.png'/>
</a>
<a class='feed-reader-link' href='https://add.my.yahoo.com/content?url=https%3A%2F%2Fscarybeastsecurity.blogspot.com%2Ffeeds%2F8002854809504309795%2Fcomments%2Fdefault' target='_blank'>
<img src='https://resources.blogblog.com/img/widgets/subscribe-yahoo.png'/>
</a>
<a class='feed-reader-link' href='https://scarybeastsecurity.blogspot.com/feeds/8002854809504309795/comments/default' target='_blank'>
<img align='absmiddle' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
                  Atom
                </a>
</div>
</div>
<div class='bottom'></div>
</div>
<div class='subscribe' id='SW_READER_LIST_CLOSED_Subscribe1PER_POST' onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<div class='top'>
<span class='inner'>
<img class='subscribe-dropdown-arrow' src='https://resources.blogblog.com/img/widgets/arrow_dropdown.gif'/>
<span onclick='return(_SW_toggleReaderList(event, "Subscribe1PER_POST"));'>
<img align='absmiddle' alt='' border='0' class='feed-icon' src='https://resources.blogblog.com/img/icon_feed12.png'/>
Comments
</span>
</span>
</div>
<div class='bottom'></div>
</div>
</div>
<div style='clear:both'></div>
</div>
</div>
<div class='clear'></div>
</div><div class='widget BlogArchive' data-version='1' id='BlogArchive1'>
<h2>Blog Archive</h2>
<div class='widget-content'>
<div id='ArchiveList'>
<div id='BlogArchive1_ArchiveList'>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2021/'>
2021
</a>
<span class='post-count' dir='ltr'>(1)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2021/05/'>
May
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2020/'>
2020
</a>
<span class='post-count' dir='ltr'>(7)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2020/12/'>
December
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2020/11/'>
November
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2020/07/'>
July
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2020/06/'>
June
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2020/04/'>
April
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2017/'>
2017
</a>
<span class='post-count' dir='ltr'>(10)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2017/09/'>
September
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2017/06/'>
June
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2017/05/'>
May
</a>
<span class='post-count' dir='ltr'>(7)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2017/03/'>
March
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2016/'>
2016
</a>
<span class='post-count' dir='ltr'>(7)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2016/12/'>
December
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2016/11/'>
November
</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2015/'>
2015
</a>
<span class='post-count' dir='ltr'>(1)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2015/07/'>
July
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2014/'>
2014
</a>
<span class='post-count' dir='ltr'>(5)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2014/09/'>
September
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2014/06/'>
June
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2014/03/'>
March
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2014/02/'>
February
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2013/'>
2013
</a>
<span class='post-count' dir='ltr'>(2)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2013/12/'>
December
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2013/02/'>
February
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/'>
2012
</a>
<span class='post-count' dir='ltr'>(9)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/09/'>
September
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/07/'>
July
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/04/'>
April
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/03/'>
March
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/02/'>
February
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2012/01/'>
January
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate expanded'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy toggle-open'>

        &#9660;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/'>
2011
</a>
<span class='post-count' dir='ltr'>(10)</span>
<ul class='hierarchy'>
<li class='archivedate expanded'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy toggle-open'>

        &#9660;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/07/'>
July
</a>
<span class='post-count' dir='ltr'>(1)</span>
<ul class='posts'>
<li><a href='https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html'>Alert: vsftpd download backdoored</a></li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/05/'>
May
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/04/'>
April
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/03/'>
March
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/02/'>
February
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2011/01/'>
January
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/'>
2010
</a>
<span class='post-count' dir='ltr'>(11)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/10/'>
October
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/09/'>
September
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/08/'>
August
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/07/'>
July
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/06/'>
June
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/03/'>
March
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2010/01/'>
January
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/'>
2009
</a>
<span class='post-count' dir='ltr'>(29)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/12/'>
December
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/11/'>
November
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/10/'>
October
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/09/'>
September
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/08/'>
August
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/07/'>
July
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/06/'>
June
</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/05/'>
May
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/03/'>
March
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/02/'>
February
</a>
<span class='post-count' dir='ltr'>(4)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2009/01/'>
January
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/'>
2008
</a>
<span class='post-count' dir='ltr'>(20)</span>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/12/'>
December
</a>
<span class='post-count' dir='ltr'>(2)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/11/'>
November
</a>
<span class='post-count' dir='ltr'>(5)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/10/'>
October
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/08/'>
August
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/07/'>
July
</a>
<span class='post-count' dir='ltr'>(5)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/03/'>
March
</a>
<span class='post-count' dir='ltr'>(1)</span>
</li>
</ul>
<ul class='hierarchy'>
<li class='archivedate collapsed'>
<a class='toggle' href='javascript:void(0)'>
<span class='zippy'>

        &#9658;&#160;
      
</span>
</a>
<a class='post-count-link' href='https://scarybeastsecurity.blogspot.com/2008/02/'>
February
</a>
<span class='post-count' dir='ltr'>(3)</span>
</li>
</ul>
</li>
</ul>
</div>
</div>
<div class='clear'></div>
</div>
</div><div class='widget LinkList' data-version='1' id='LinkList1'>
<h2>My other stuff</h2>
<div class='widget-content'>
<ul>
<li><a href='http://scary.beasts.org/'>My security advisories</a></li>
<li><a href='http://vsftpd.beasts.org/'>vsftpd home page</a></li>
<li><a href='http://taviso.decsystem.org/research.html'>Tavis' security advisories</a></li>
</ul>
<div class='clear'></div>
</div>
</div></div>
</aside>
</div>
</div>
</div>
<div style='clear: both'></div>
<!-- columns -->
</div>
<!-- main -->
</div>
</div>
<div class='main-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
<footer>
<div class='footer-outer'>
<div class='footer-cap-top cap-top'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
<div class='fauxborder-left footer-fauxborder-left'>
<div class='fauxborder-right footer-fauxborder-right'></div>
<div class='region-inner footer-inner'>
<div class='foot no-items section' id='footer-1'></div>
<table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'>
<tbody>
<tr>
<td class='first columns-cell'>
<div class='foot no-items section' id='footer-2-1'></div>
</td>
<td class='columns-cell'>
<div class='foot no-items section' id='footer-2-2'></div>
</td>
</tr>
</tbody>
</table>
<!-- outside of the include in order to lock Attribution widget -->
<div class='foot section' id='footer-3' name='Footer'><div class='widget Attribution' data-version='1' id='Attribution1'>
<div class='widget-content' style='text-align: center;'>
Simple theme. Theme images by <a href='https://www.istockphoto.com/googleimages.php?id=4072573&amp;platform=blogger&langregion=en' target='_blank'>gaffera</a>. Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>.
</div>
<div class='clear'></div>
</div></div>
</div>
</div>
<div class='footer-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</footer>
<!-- content -->
</div>
</div>
<div class='content-cap-bottom cap-bottom'>
<div class='cap-left'></div>
<div class='cap-right'></div>
</div>
</div>
</div>
<script type='text/javascript'>
    window.setTimeout(function() {
        document.body.className = document.body.className.replace('loading', '');
      }, 10);
  </script>
<!--It is your responsibility to notify your visitors about cookies used and data collected on your blog. Blogger makes a standard notification available for you to use on your blog, and you can customise it or replace it with your own notice. See http://www.blogger.com/go/cookiechoices for more details.-->
<script defer='' src='/js/cookienotice.js'></script>
<script>
    document.addEventListener('DOMContentLoaded', function(event) {
      window.cookieChoices && cookieChoices.showCookieConsentBar && cookieChoices.showCookieConsentBar(
          (window.cookieOptions && cookieOptions.msg) || 'This site uses cookies from Google to deliver its services and to analyse traffic. Your IP address and user agent are shared with Google, together with performance and security metrics, to ensure quality of service, generate usage statistics and to detect and address abuse.',
          (window.cookieOptions && cookieOptions.close) || 'Ok',
          (window.cookieOptions && cookieOptions.learn) || 'Learn more',
          (window.cookieOptions && cookieOptions.link) || 'https://www.blogger.com/go/blogspot-cookies');
    });
  </script>

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1434883710-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY6zQeWNly3Nk8a1EbubXQOH3EWY8A:1640304721368';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d3024470480937744884','//scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html','3024470480937744884');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '3024470480937744884', 'title': 'Security', 'url': 'https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html', 'canonicalUrl': 'https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html', 'homepageUrl': 'https://scarybeastsecurity.blogspot.com/', 'searchUrl': 'https://scarybeastsecurity.blogspot.com/search', 'canonicalHomepageUrl': 'https://scarybeastsecurity.blogspot.com/', 'blogspotFaviconUrl': 'https://scarybeastsecurity.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Security - Atom\x22 href\x3d\x22https://scarybeastsecurity.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Security - RSS\x22 href\x3d\x22https://scarybeastsecurity.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Security - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/3024470480937744884/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Security - Atom\x22 href\x3d\x22https://scarybeastsecurity.blogspot.com/feeds/8002854809504309795/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'ieCssRetrofitLinks': '\x3c!--[if IE]\x3e\x3cscript type\x3d\x22text/javascript\x22 src\x3d\x22https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js\x22\x3e\x3c/script\x3e\n\x3c![endif]--\x3e', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/20752fd4df382411', 'plusOneApiSrc': 'https://apis.google.com/js/plusone.js', 'disableGComments': true, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '8002854809504309795', 'pageName': 'Alert: vsftpd download backdoored', 'pageTitle': 'Security: Alert: vsftpd download backdoored'}}, {'name': 'features', 'data': {'sharing_get_link_dialog': 'true', 'sharing_native': 'false'}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'Simple', 'localizedName': 'Simple', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': false, 'variant': 'wide', 'variantId': 'wide'}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Alert: vsftpd download backdoored', 'description': '[With thanks to Mathias Kresin for being the first to notice]   An incident, what fun! Earlier today, I was alerted that a vsftpd download f...', 'url': 'https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 8002854809504309795}}]);
_WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/1619306617-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_TextView', new _WidgetInfo('Text1', 'sidebar-right-1', document.getElementById('Text1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_SubscribeView', new _WidgetInfo('Subscribe1', 'sidebar-right-1', document.getElementById('Subscribe1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar-right-1', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList1', 'sidebar-right-1', document.getElementById('LinkList1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull'));
</script>
</body>
</html>